Twitter and Jott Vulnerable to SMS and Caller ID Spoofing

by Nitesh Dhanjani

Both Twitter and Jott authenticate users by their phone number. Twitter does this by validating users based upon the source of SMS messages sent to the phone number 40404 (US), and Jott does this by trusting the incoming Caller ID when someone calls 877-568-848. From a security perspective this means the following:

Anyone who knows your phone number can update your Twitter page by spoofing an SMS message, i.e. post a Twitter entry as you.

Anyone who knows your phone number can spoof his or her caller ID to send a Jott message as you.
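The two weaknesses above share one root: the service uses a carrier-supplied identifier (the SMS sender number, the Caller ID) as the whole of authentication, and that identifier is asserted by the sender rather than verified. The following is an added example, not code from the article or from Twitter or Jott, that models an inbound-SMS command gateway both ways: a sender-number-only lookup like the one described, and the PIN-based variant in which the message body must also carry a secret the real user enrolled. The phone number, user name, PIN and message format are constructed for illustration; the short code 40404 is the one named in the article.

```python
"""Inbound-SMS command gateway: sender-number trust versus a per-user PIN.

Constructed example. The phone number, account, PIN and "<PIN> <text>"
message format are made up; only the short code 40404 comes from the article.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SHORT_CODE = "40404"
MAX_PIN_FAILURES = 5


@dataclass
class InboundSms:
    sender: str       # "From" number as reported by the carrier; the part an attacker can spoof
    destination: str  # short code the message was sent to
    body: str         # message text


@dataclass
class Account:
    username: str
    pin_salt: bytes
    pin_hash: bytes
    failed_pins: int = 0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(username: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash_pin(pin, salt))


# Constructed directory: phone number -> account.
DIRECTORY = {
    "+15550100001": enroll("alice", "4821"),
}


def post_by_sender(msg: InboundSms):
    """The model the article describes: the sender number alone selects the
    user, so a message with a spoofed From number is accepted as that user.
    Returns (username, text) on success, None otherwise."""
    if msg.destination != SHORT_CODE:
        return None
    acct = DIRECTORY.get(msg.sender)
    if acct is None:
        return None
    return (acct.username, msg.body)


def post_with_pin(msg: InboundSms):
    """PIN-based model: the sender number only selects the account; the body
    must begin with the account's PIN ("<PIN> <text>"). The PIN check is a
    constant-time comparison of hashes, and repeated wrong PINs lock the
    account until an out-of-band reset (not modelled here)."""
    if msg.destination != SHORT_CODE:
        return None
    acct = DIRECTORY.get(msg.sender)
    if acct is None or acct.failed_pins >= MAX_PIN_FAILURES:
        return None
    pin, _, text = msg.body.partition(" ")
    if not pin or not text:
        return None  # malformed command; nothing to post
    if not hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash):
        acct.failed_pins += 1
        return None
    acct.failed_pins = 0
    return (acct.username, text)


if __name__ == "__main__":
    spoofed = InboundSms("+15550100001", SHORT_CODE, "not really alice")
    genuine = InboundSms("+15550100001", SHORT_CODE, "4821 hello from alice")
    print("sender-only, spoofed From:", post_by_sender(spoofed))
    print("PIN model, spoofed From:  ", post_with_pin(spoofed))
    print("PIN model, genuine:       ", post_with_pin(genuine))
```

Running the script shows the contrast: `post_by_sender` accepts the message with the forged From number and attributes it to alice, while `post_with_pin` rejects it because the body carries no valid PIN, and accepts only the message that does. The lockout counter trades availability for brute-force resistance; a short numeric PIN without it would fall to guessing, but with it a spoofer can lock the real user out, which is why a reset path and alerting on repeated failures belong in a production design. The PIN still travels in the clear across the carrier network, so this closes the spoofing hole the article describes rather than making SMS a strong channel.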

6 Comments

chris sivori
2007-04-10 21:20:01

Amazing exploit. You would think this would be harder.

brian orourke
2007-04-11 00:54:47

I hope you notified twitter as a simple courtesy before posting this exploit.

Nitesh
2007-04-11 06:26:35

@brian:

Yes I did. Quote from my post above:

I have let the folks at Twitter know about this security issue - they sent me an email a few days ago to let me know they are looking into it.

Scott Lamb
2007-04-11 11:31:20

Trendy Web 2.0 sites aren't the only ones using this insecure method. My newspaper uses such a system to suspend/resume delivery, and my bank uses it for ATM card activation.

You could maintain security if (a) you always have easy access to spoofing, and (b) they don't use your phone number for any other purpose. Just come up with a true secret and send the messages from that number.

Alex Payne
2007-04-11 13:44:43

I'm an engineer at Obvious and I work on Twitter.

We're working on implementing the PIN-based solution suggested in this article, and we've deployed some other protections against spoofing in the meantime. I don't think we were given nearly enough time to respond before this article was published, but that's my personal opinion and not the opinion of Obvious.

The "spoofability" of SMS and other mobile services is a problem that needs to be solved at the carrier level, not by individual applications. It doesn't take a genius to see that if every SMS-based application out there is vulnerable to spoofing, it's probably a protocol-level flaw. Applications like Twitter can put a band-aid on this flaw, but it's not the right architectural solution.

That said, doing the research involved to make a security recommendation to the mobile carriers would have taken real effort on the part of the author. Why bother when cheap hacks like this are easy and fun?

Nitesh
2007-04-11 15:42:03

I don't think we were given nearly enough time to respond before this article was published, but that's my personal opinion and not the opinion of Obvious.

When I informed Biz and help@twitter.com, I was absolutely clear in stating my responsible disclosure policy: http://www.wiretrip.net/rfp/policy.html

The "spoofability" of SMS and other mobile services is a problem that needs to be solved at the carrier level, not by individual applications.

SMS was never designed to be used for authentication, just as the From: address in an email was never designed to be something to authenticate against.

That said, doing the research involved to make a security recommendation to the mobile carriers would have taken real effort on the part of the author. Why bother when cheap hacks like this are easy and fun?

That is like saying: the folks who designed the SMTP protocol should go back and change the RFC to accommodate applications that are poorly designed such that they trust the "From" header.

And I thought the folks at Twitter would owe me gratitude for pointing this out to them and explaining the exact steps on how it can be abused. With this sort of an attitude, security researchers will be more inclined to publish the issues without even informing you.
